-1

What is the best way to block country IPs (block many countries completely) to deny access to an ASP.NET website running on Windows Server 2008? Currently the module in IIS is blocking the country IPs, but I don't think that is the best way to do it, as the request is already reaching IIS and consuming its resources. I am looking for other alternatives to block country IPs (the IP ranges are in the thousands) in Windows Firewall. Will Windows Firewall be a performance bottleneck when filtering thousands of IPs? Does anybody know the best pattern to easily manage and handle such a situation?

Kumar
  • You should really do this type of blocking before the request even gets onto your local network, this is usually done with a physical firewall device. Moreover, why are you blocking a bunch of countries? – Brent Pabst Jan 09 '13 at 15:40
  • The reason for blocking many countries is that the service is only for North America and there are some countries which create unnecessary spam and eat up bandwidth. – Kumar Jan 09 '13 at 16:16
  • Why -1? I just asked how to block a country from accessing any website. – Kumar Jan 10 '13 at 14:39

2 Answers

2

If you want to block them, but you're concerned about the resources being used even when the firewall rejects the request, then you'll have to ask your ISP to do it upstream. There's no other way around it.

And just so you know, if it's a DDoS or similar that you're worried about, the right way to do it is to have your ISP block it on the backbone.

MDMarra
1

You should be blocking this at the edge of your network instead, through your corporate firewall. If you aren't responsible for this then get with the team that is.

If you are responsible, you'll need to research how to do it for your particular firewall.

For instance, Cisco has a great blog on this with links/details: http://blogs.cisco.com/security/block-a-country-with-my-cisco-router-or-firewall/

If you are already blocking it sufficiently with the simple IP range block in IIS, then transfer that knowledge up the line to the firewall instead.

TheCleaner
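
Moving an existing IIS block list to an edge firewall usually starts with exporting it as a compact CIDR list. The following is an added example, not part of either answer: it assumes the deny entries live in an IIS `<ipSecurity>` section, and the sample entries are constructed from documentation address ranges.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample of an IIS <ipSecurity> section (documentation ranges only).
SAMPLE_CONFIG = """
<ipSecurity allowUnlisted="true">
  <add ipAddress="198.51.100.0" subnetMask="255.255.255.128" allowed="false" />
  <add ipAddress="198.51.100.128" subnetMask="255.255.255.128" allowed="false" />
  <add ipAddress="203.0.113.0" subnetMask="255.255.255.0" allowed="false" />
  <add ipAddress="203.0.113.64" subnetMask="255.255.255.192" allowed="false" />
  <add ipAddress="192.0.2.10" allowed="false" />
  <add ipAddress="192.0.2.200" subnetMask="255.255.255.255" allowed="true" />
</ipSecurity>
"""


def deny_networks(config_xml):
    """Return the deny entries of an <ipSecurity> section as IPv4 networks."""
    root = ET.fromstring(config_xml)
    nets = []
    for entry in root.iter("add"):
        # Assumption: an entry without an "allowed" attribute is a deny entry.
        if entry.get("allowed", "false").lower() != "false":
            continue  # allow entries are not part of the block list
        addr = entry.get("ipAddress")
        # A missing subnetMask is treated as a single host.
        mask = entry.get("subnetMask", "255.255.255.255")
        # strict=False tolerates entries whose address has host bits set.
        nets.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    return nets


def aggregate(nets):
    """Merge adjacent and overlapping ranges into the smallest CIDR list."""
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    for cidr in aggregate(deny_networks(SAMPLE_CONFIG)):
        print(cidr)
```

Aggregation matters because country lists contain many adjacent ranges; fewer, larger prefixes mean fewer rules for whichever device ends up enforcing them.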